Bitlocker & TPM

Overview

Recommendation

Our recommendation for the secure configuration of Bitlocker on Microsoft Windows in combination with TPM is as follows:

Bitlocker encryption
+ TPM
+ additional authentication factor ((enhanced) PIN or start key)

  • "TPM only" does not provide sufficient protection
  • An additional authentication factor (pre-boot authentication) is required: an (enhanced) PIN or a start key

Basics

Bitlocker is used by Microsoft Windows to encrypt (hard disk) drives.

Drive encryption with Bitlocker is to be distinguished from the standard logon (login screen) in Windows. As a rule, a device encrypted with Bitlocker first unlocks the drive (the encryption key is released) and only then does the user log in via the login screen.

Pre-boot authentication takes place before the encryption key is released and therefore represents an additional security measure. Various authentication factors (e.g. PIN, start key or both) can be used for this.

The recovery password is a 48-digit number that serves as a recovery option. It is not requested during normal authentication and is to be distinguished from the authentication factors of pre-boot authentication.

The TPM (Trusted Platform Module) is used "to securely create and store cryptographic keys and confirm that the operating system and firmware on your device are what they are supposed to be and have not been tampered with." [Q2] TPMs exist either as a separate chip on the motherboard (discrete TPM, referred to as "external TPM" below) or integrated into the CPU or chipset (firmware TPM, "internal TPM").

The TPM has anti-hammering protection against brute-force attacks on the PIN. After 32 failed PIN entries it locks PIN entry, and from then on every further failed attempt is followed by a 10-minute lockout. In theory this allows at most 144 attempts per day (24 h / 10 min) in addition to the initial 32 attempts.
For example, a randomly generated 8-digit PIN has 100000000 (10^8) possible combinations. The probability that such a PIN is guessed within 7 days is therefore about 0.00104% ((32 initial attempts + 144 attempts per day * 7 days) / 10^8 = 1040 / 10^8 = 0.0000104), and within 1 year about 0.053% ((32 + 144 * 365) / 10^8 = 52592 / 10^8 = 0.00052592). These figures hold only as long as the anti-hammering protection is actually in effect; if it can be bypassed, the small key space of a numeric PIN is searched quickly.
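
The calculation above, carried a little further as an added example (not part of the original guide): the PowerShell below models the guess budget that the anti-hammering policy leaves an attacker over a given number of days, the resulting probability for numeric and enhanced PINs of different lengths, and, for comparison, how quickly the same key spaces fall if the anti-hammering protection is bypassed and guesses can be tested at an assumed, purely illustrative rate of 1000 per second. The function names and the 1000/s rate are ours; the policy parameters (32 attempts, then one every 10 minutes) are those stated above.

```powershell
# Added example, not part of the original guide. Function names and the offline guess
# rate are ours; the lockout parameters are those stated in the text.

function Get-TpmGuessBudget {
    # Number of PIN guesses the TPM permits within $Days: the initial free attempts, then
    # one further attempt every $LockoutMinutes (24*60/10 = 144 per day by default).
    param([double]$Days, [int]$InitialAttempts = 32, [int]$LockoutMinutes = 10)
    $perDay = 24 * 60 / $LockoutMinutes
    return $InitialAttempts + [math]::Floor($perDay * $Days)
}

function Get-PinKeyspace {
    # Number of possible PINs: 10 = digits only, 95 = printable ASCII (enhanced PIN).
    param([int]$Length, [int]$AlphabetSize = 10)
    return [math]::Pow($AlphabetSize, $Length)
}

function Get-GuessProbability {
    # Probability that a uniformly random PIN falls within the first $Attempts guesses.
    param([double]$Attempts, [double]$Keyspace)
    return [math]::Min(1.0, $Attempts / $Keyspace)
}

function Get-OfflineSearchDays {
    # Days needed to exhaust the key space if anti-hammering is bypassed and every guess
    # can be tested at $GuessesPerSecond (hypothetical rate, for comparison only).
    param([double]$Keyspace, [double]$GuessesPerSecond)
    return $Keyspace / $GuessesPerSecond / 86400
}

# Worked comparison: the 8-digit case from the text alongside other lengths and alphabets
@(
    @{ Name = '4-digit PIN';          PinLength = 4;  Alphabet = 10 }
    @{ Name = '6-digit PIN';          PinLength = 6;  Alphabet = 10 }
    @{ Name = '8-digit PIN';          PinLength = 8;  Alphabet = 10 }
    @{ Name = '12-char enhanced PIN'; PinLength = 12; Alphabet = 95 }
) | ForEach-Object {
    $space = Get-PinKeyspace -Length $_.PinLength -AlphabetSize $_.Alphabet
    [pscustomobject]@{
        PIN                      = $_.Name
        Keyspace                 = '{0:E2}' -f $space
        'P(guessed in 7 days)'   = '{0:P5}' -f (Get-GuessProbability -Attempts (Get-TpmGuessBudget -Days 7)   -Keyspace $space)
        'P(guessed in 1 year)'   = '{0:P5}' -f (Get-GuessProbability -Attempts (Get-TpmGuessBudget -Days 365) -Keyspace $space)
        'Offline, 1000/s (days)' = '{0:N1}' -f (Get-OfflineSearchDays -Keyspace $space -GuessesPerSecond 1000)
    }
} | Format-Table -AutoSize
```

The 8-digit row reproduces the figures in the paragraph above (0.00104% after 7 days, about 0.053% after a year); the 4-digit row shows why a short PIN is inadequate even with anti-hammering (the whole key space is covered within a year), and the last column shows why a numeric PIN alone is weak once the lockout no longer applies.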

Overview and comparison of operating modes

Bitlocker can be operated both with and without a TPM. In both operating modes, additional security measures are available that enable multi-factor pre-boot authentication. The following is an overview of the possible operating modes of Bitlocker with and without TPM.

Possible operating modes of Bitlocker with TPM are:

  • "TPM only"

    • "This option requires no interaction with the user to unlock the drive and grant access to the drive. If the TPM verification is successful, the user login will be the same as the default login" [Q3]

    • Rating

      • not recommended (see also Why "TPM only" is not enough)

        • + pre-boot system integrity check

        • + the drive stays locked if it is removed and connected to another system or if the boot configuration is changed (the TPM measurements no longer match)

        • – the drive is unlocked automatically during normal startup (if the TPM check succeeds) and the device goes straight to the standard Windows logon; whoever holds the device only has to get past that logon

  • TPM with start key

    • "In addition to the protection that only TPM provides, part of the encryption key is stored on a USB memory stick called a boot key. Data on the encrypted volume cannot be accessed without the boot key." [Q3]

    • Rating:

      • recommended

        • + sufficiently secure, as the drive cannot be decrypted without a start key

        • + / – self-organization required for managing the start key (security depends entirely on how the USB stick with the start key is stored: if it is left permanently inserted, the additional factor is neutralized. Keeping it on the key ring, for example, is advisable. If it is lost, only the recovery password helps)

  • TPM with PIN

    • "In addition to the protection provided by the TPM, BitLocker requires the user to enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN." [Q3]

    • Rating:

      • recommended (under the following conditions:)

        • + Anti-hammering protection of the TPM in combination with PIN offers sufficient protection, provided that:

          • PIN was generated randomly (we recommend at least 8 digits) and

          • standard users cannot change the PIN themselves (otherwise a user can replace the random PIN with a trivial one)

        • + a PIN is easy to remember and, being digits only, can be typed on any keyboard layout

        • – if the TPM's anti-hammering protection can be bypassed, the PIN alone offers little protection because of its small key space (10^8 combinations for 8 digits)

  • TPM with enhanced PIN

    • Like "TPM with PIN", except that the full character set (upper- and lower-case letters, digits, symbols and spaces) is permitted for the PIN.

    • Rating:

      • recommended:

        • + Anti-hammering protection of the TPM

        • + More complex password (password should be generated and sufficiently complex) increases security if the TPM's anti-hammering protection can be bypassed

        • – possible usability problems (e.g. the PIN is set under a DE keyboard layout but the pre-boot prompt uses a US layout, so keys such as Y/Z and symbols are mapped differently; test the PIN at the pre-boot prompt before relying on it)

  • TPM with start key and PIN

    • "In addition to the protection provided by the TPM, part of the encryption key is stored on a USB memory stick and a PIN is required to authenticate the user to the TPM." [Q3]

    • Rating:

      • recommended:

        • + More authentication factors increase security

        • + Anti-hammering protection of the TPM

        • + Good option for data / devices with high protection requirements

        • – somewhat more effort; for normal protection requirements there are less complex procedures that are still sufficient

Possible operating modes of Bitlocker without TPM are:

  • Start key

    • A start key is required for starting, which can be stored on a USB stick, for example.

    • Rating:

      • Conditionally recommended

        • + Secure with appropriate key management

        • – no pre-boot system integrity check (no TPM)

        • - Start key can be lost

  • Password

    • A password is required to unlock the device.

    • Rating:

      • Conditionally recommended

        • + only recommended if the password is sufficiently long and complex: without a TPM there is no anti-hammering protection, so the password can be attacked offline by brute force against a copy of the drive

        • – no pre-boot system integrity check (no TPM)

        • - Increased effort due to secure management of the complex password (e.g. saving in password manager on smartphone)
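
The recommended configuration and a check for it, as an added example (not code from the original guide): the PowerShell below audits the operating mode of every volume, sets the local policy equivalents of the relevant Group Policy settings, and converts the OS drive to "TPM + PIN" with a randomly generated numeric PIN. It assumes an administrative PowerShell on Windows 10/11 with a TPM and the BitLocker module present. The function names are ours; the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones written by the "Require additional authentication at startup", "Allow enhanced PINs for startup", "Configure minimum PIN length for startup" and "Disallow standard users from changing the PIN" policies.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide. Function names are ours; the registry
# values are the ones the named Group Policy settings write under the FVE policy key.

function Get-BitLockerModeReport {
    # One row per volume. Assignments run from weakest to strongest priority and the bare
    # "Tpm" protector is checked last: as long as it exists the drive unlocks automatically,
    # even if a TPM+PIN protector has been added alongside it.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $mode = 'none'
        if ('ExternalKey' -in $types)      { $mode = 'start key (no TPM)' }
        if ('Password' -in $types)         { $mode = 'password (no TPM)' }
        if ('TpmStartupKey' -in $types)    { $mode = 'TPM + start key' }
        if ('TpmPin' -in $types)           { $mode = 'TPM + PIN' }
        if ('TpmPinStartupKey' -in $types) { $mode = 'TPM + start key + PIN' }
        if ('Tpm' -in $types)              { $mode = 'TPM only' }
        [pscustomobject]@{
            Volume              = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            Protection          = $vol.ProtectionStatus
            Mode                = $mode
            HasRecoveryPassword = ('RecoveryPassword' -in $types)
            Recommended         = ($mode -in @('TPM + PIN', 'TPM + start key', 'TPM + start key + PIN'))
        }
    }
}

function Set-BitLockerPreBootPolicy {
    # Local equivalents of the four policies named in the lead-in.
    # Values for the Use* entries: 0 = do not allow, 1 = require, 2 = allow.
    param([ValidateRange(4, 20)][int]$MinimumPinLength = 8, [switch]$AllowEnhancedPin)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    $values = [ordered]@{
        UseAdvancedStartup           = 1    # "Require additional authentication at startup" enabled
        EnableBDEWithNoTPM           = 0    # the recommendation is "with TPM"
        UseTPM                       = 0    # "TPM only" not allowed
        UseTPMPIN                    = 2    # TPM + PIN allowed
        UseTPMKey                    = 2    # TPM + start key allowed
        UseTPMKeyPIN                 = 2    # TPM + start key + PIN allowed
        MinimumPIN                   = $MinimumPinLength
        UseEnhancedPin               = [int]$AllowEnhancedPin.IsPresent
        DisallowStandardUserPINReset = 1    # users cannot swap the random PIN for a weak one
    }
    foreach ($kv in $values.GetEnumerator()) {
        New-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -PropertyType DWord -Force | Out-Null
    }
}

function New-RandomNumericPin {
    # Cryptographically random digits; rejection sampling (bytes >= 250 discarded) avoids modulo bias.
    param([ValidateRange(4, 20)][int]$Length = 8)
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $pin  = ''
    while ($pin.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt 250) { $pin += [string]($byte[0] % 10) }
    }
    $rng.Dispose()
    return $pin
}

function Set-OsVolumeTpmPin {
    # Puts the OS drive into "TPM + PIN": fresh encryption, or conversion from "TPM only".
    param([string]$MountPoint = $env:SystemDrive, [Parameter(Mandatory)][string]$Pin)
    $securePin = ConvertTo-SecureString -String $Pin -AsPlainText -Force
    if ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $securePin -SkipHardwareTest | Out-Null
    } else {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $securePin | Out-Null
    }
    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
    # Defensive: drop any leftover plain TPM protector, otherwise the drive still auto-unlocks.
    $protectors | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    # A recovery password is the only way back in if the TPM check ever fails.
    if (-not ($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
}

# Usage (order matters: the policy must permit a PIN before one can be added):
Get-BitLockerModeReport | Format-Table -AutoSize
# Set-BitLockerPreBootPolicy -MinimumPinLength 8
# $pin = New-RandomNumericPin -Length 8      # hand over to the user out of band, do not log it
# Set-OsVolumeTpmPin -Pin $pin
# Get-BitLockerModeReport | Format-Table -AutoSize   # Mode should now read "TPM + PIN"
```

The audit deliberately reports "TPM only" whenever a plain TPM protector exists, regardless of what else is configured: a volume that carries both a TPM and a TPM+PIN protector still unlocks without the PIN. Adding the TPM+PIN protector without the policy in place fails with a Group Policy error, which is why the policy step comes first.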

Why "TPM only" is not enough

When using the "TPM only" operating mode, the encrypted drive is unlocked automatically when the device starts, after a successful pre-boot system integrity check by the TPM; no further authentication factor is required as part of pre-boot authentication. The device goes straight to the standard Windows logon.

The encrypted data is adequately protected in the following attack scenarios:

  • System boot configuration is changed (e.g. replacement/installation of faulty hardware components)
  • Removing the hard disk and connecting it to another system

The encrypted data is not sufficiently protected in the following attack scenarios:

  • Laptop is stolen and switched on: the attacker simply boots the stolen laptop; the drive is unlocked without any action on their part (normal boot process) and all that stands between the attacker and the data is the standard Windows logon. In this state the "encrypted" drive is effectively unencrypted.
  • Vulnerabilities in the automatic unlock chain (TPM, firmware, boot loader or recovery environment), e.g.:
    • CVE-2022-41099 (BitLocker security feature bypass via an outdated Windows Recovery Environment; relevant because the drive unlocks without a PIN or start key)
    • With external (discrete) TPMs, the key can be read during the boot process by sniffing the bus between TPM and CPU, where it is transmitted unencrypted (an additional authentication factor protects against this, because the key is not released before the PIN or start key has been presented)

Drive encryption is therefore weakened by the missing additional authentication factor. Exploitation is not trivial, but it is possible with some effort, or whenever there is a security gap in the logon or troubleshooting (recovery) flow of the operating system, so "TPM only" is not recommended.

TPM and availability protection

So far, this guide has only dealt with the protection of the "confidentiality" protection objective when using Bitlocker with TPM. At this point, the "availability" protection objective should also be considered:

  • When using Bitlocker with TPM, availability (access to the encrypted drive) can be impaired by the TPM system integrity check when hardware is broken or no longer works properly (e.g. defective CPU or mainboard), and equally after changes to firmware or boot configuration (e.g. a BIOS update) that alter the measured values. In these cases the recovery password is required to regain access, so it must be stored (escrowed) somewhere other than on the device itself.
  • When using Bitlocker without TPM, availability depends solely on the authentication factor used, since there is no TPM system integrity check.

Regardless of TPM, the best protection for the availability of encrypted data is the regular creation of (encrypted) backups.
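
As an added example for this section (not code from the original guide): a pre-maintenance check in PowerShell to run before a planned hardware or firmware change on a TPM-protected device. It makes sure a recovery password exists, escrows it to AD DS or Entra ID (assumed to be available; chosen with -Escrow), shows the TPM lockout state, and suspends BitLocker for exactly one reboot so that the changed measurements do not end in a recovery prompt. It assumes an administrative PowerShell with the BitLocker and TrustedPlatformModule modules; the function names are ours.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide. Function names are ours.

function Confirm-RecoveryPassword {
    # Ensures a recovery password protector exists on the volume and escrows it.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateSet('ADDS', 'EntraID', 'None')][string]$Escrow = 'None'
    )
    $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # Without one, a failed TPM check after the change means the data is gone for good.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        switch ($Escrow) {
            'ADDS'    { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
            'EntraID' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
        }
    }
    return $rp.Count
}

function Get-TpmLockoutState {
    # If the TPM is in lockout, the PIN prompt fails until LockoutHealTime has elapsed.
    # That looks like a broken device but is the anti-hammering protection doing its job.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        LockedOut    = $tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
        HealTime     = $tpm.LockoutHealTime
    }
}

function Invoke-PreMaintenanceSuspend {
    # Run immediately before a firmware update or hardware swap affecting the OS volume.
    param([string]$MountPoint = $env:SystemDrive, [string]$Escrow = 'None')
    if ((Confirm-RecoveryPassword -MountPoint $MountPoint -Escrow $Escrow) -lt 1) {
        throw "No recovery password on $MountPoint, refusing to continue"
    }
    Get-TpmLockoutState | Format-List
    # While suspended, the volume key is protected by a clear key on disk, so the data is
    # readable without the TPM. Limit this to exactly one reboot; BitLocker re-seals to the
    # new measurements when protection resumes.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    return (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # "Off" until the next reboot
}

# Usage:
# Invoke-PreMaintenanceSuspend -Escrow 'EntraID'    # then apply the firmware update and reboot
# Get-BitLockerVolume -MountPoint $env:SystemDrive  # afterwards ProtectionStatus should be "On" again;
#                                                   # if not, run Resume-BitLocker -MountPoint $env:SystemDrive
```

The suspension window is the one moment the data is readable without TPM or PIN, so it is limited to a single reboot and only entered after the recovery password has been verified and escrowed; a device that has to be recovered by hand after a failed TPM check with no recovery password available is exactly the availability failure this section warns about.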

Sources

Access time: 25.03.2024 14:00

Contact

IT Security
Security team